System and method for dynamically allocating stream identifiers in a multi-encryption transport system

ABSTRACT

The present invention is suitable for use in a multi-encrypted system that dynamically allocates stream identifiers in a second stream depending upon the identifiers in a first stream. The first stream is monitored and counters are incremented with the presence of an identifier. The count for each of the counters is then received. Using the count, a control processor then assigns or revises identifiers in the second stream.

RELATED APPLICATION

This application is a divisional of U.S. application Ser. No. 11/383,373 entitled “System and Method for Dynamically Allocating Stream Identifiers in a Multi-Encryption Transport System” filed May 15, 2006, which issued on Sep. 25, 2012 as U.S. Pat. No. 8,275,132 B2, which is incorporated herein by reference.

U.S. application Ser. No. 11/383,373 is related to U.S. application Ser. No. 11/383,375 also entitled “System and Method for Dynamically Allocating Stream Identifiers in a Multi-Encryption Transport System” filed May 15, 2006, to the same inventors, which issued on Jul. 19, 2011 as U.S. Pat. No. 7,983,417 B2, which is incorporated herein by reference.

FIELD OF THE INVENTION

The present invention relates generally to the field of dual-encrypted streams in a communications system and more specifically towards dynamically allocating stream identifier information of a secondary stream in the system.

BACKGROUND OF THE INVENTION

Cable communications systems typically transmit encrypted data streams according to a single proprietary scheme. Accordingly, cable operators must purchase decryption, or set-top, devices, which reside at the subscriber's premises, that decrypt the data streams according to the proprietary encryption scheme. Obviously, it is to the cable operator's and the subscriber's benefit to be able to source multiple set-tops having different decryption schemes instead of having to choose just a single decryption set-top for the system. In this light, an operator now has an option of installing an overlay system, which allows for multiple encryption schemes and likewise multiple decryption devices that each decrypts one of the encrypted streams.

In an overlay system, however, special precautions should be taken to ensure multiple encrypted transport streams are not in conflict or do not collide. It will be appreciated that in a conventional communications system, there are varying levels of streams that comprise a transport stream. Very generally, a transport stream comprises a plurality of programs where each has a program number. Each of the program streams comprises video, audio, and data elementary streams. Furthermore, each elementary stream comprises video, audio, or data packets. A program number in a program association table (PAT) identifies each program and an associated program map table (PMT). Each PMT then identifies the elementary streams with packet identifiers (PIDs). The program numbers and PIDs are initially chosen out of a well known fixed range of numbers defined in the MPEG specification. Therefore, there exists a chance that two separate transport streams coming from different service providers that are transmitted using the same system, may include common identifiers (e.g., program numbers and PIDs) causing the two streams to overlap, thereby presenting program numbers and/or elementary stream packets that do not have unique identifying stream values, but are intended for two different decryption devices. In this case, a decryption device receives the encrypted stream with packets having different encryption schemes using the same identifier and may try to decrypt the wrong streams, which would then cause several problems. Accordingly, there exists a need to discover, monitor, and dynamically change the identifiers and stream routes in the transport streams in such a system to ensure that conflicts do not arise.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a simplistic block diagram of an overlay system that transports multiple encrypted streams with different encryption schemes to multiple decryption devices.

FIG. 2 illustrates a primary encrypted program association table (PAT) that is periodically transmitted along with the transport stream that the primary decryption devices access in order to locate a desired program and its components in the transport stream.

FIG. 3 illustrates an original overlay PAT that is periodically transmitted along with the transport stream that both the secondary and primary decryption devices access in order to locate a desired program and its components in the transport stream.

FIG. 4 illustrates an updated primary encrypted PAT.

FIG. 5 illustrates an updated overlay PAT having a version 2 in accordance with the present invention.

FIG. 6 illustrates an original overlay program map table (PMT) and an updated overlay PMT in accordance with the present invention.

FIG. 7 is a block diagram of a processing, or encryption, device and control system that monitor, detect, and revise any conflicts in the program numbers and/or packet identifiers in accordance with the present invention.

FIG. 8 is a block diagram of a continuous PID-monitoring processing device that is suitable for use in a GIGA Ethernet or a packet switched environment in accordance with the present invention.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

The present invention will be described more fully hereinafter with reference to the accompanying drawings in which like numerals represent like elements throughout the several figures, and in which an exemplary embodiment of the invention is shown. This invention may, however, be embodied in many different forms and should not be construed as being limited to the embodiments set forth herein; rather, the embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. The present invention is described more fully hereinbelow.

The present invention is suitable for use in a MPEG transport communications system that transmits multiple streams that use different encryption schemes over one system to receiving devices having multiple decryption schemes. The present invention allows for at least two different decryption devices (e.g., a primary set-top and a secondary set-top) to be located in a single system, which transmits streams having a primary encryption scheme and at least one other encryption scheme (i.e., an overlay, or secondary, encryption scheme). Each set-top is designed to decrypt either the primary or the secondary encryption scheme at one time. Prior to combining the multiple streams and in accordance with the present invention, a processing device analyzes the multiple encrypted streams to discover and monitor the program numbers and packet identifiers of the primary and secondary streams to ensure that any conflicts in the overlay streams and identifiers are corrected prior to transmission. More specifically, if a conflict is detected (i.e., the primary stream and the secondary stream have a same program number and/or packet identifier), the present invention dynamically changes the common identifier(s) in the secondary stream to a different identifier that is unique and does not conflict with any of the associated primary encrypted streams. Accordingly, the multiple streams are transmitted having different program numbers and/or packet identifiers. Additionally, the secondary, or overlay, decryption devices in the system are notified of the changed identifier(s) in the secondary stream to ensure proper processing and subsequent display.

FIG. 1 is a simplistic block diagram of an overlay communications system that transports multiple encrypted streams with different encryption schemes to multiple decryption devices. In a headend facility, an overlay encryption device 105, such as, but not limited to, a quadrature amplitude modulation (QAM) modulator, receives a primary encrypted input stream 115 and a matching clear input stream 120. It will be appreciated that several encryption devices exist in the headend facility each receiving a copy of the primary encrypted input steam and the clear input stream according to predetermined configurations; however, only one encryption device 105 is shown for simplicity. The overlay encryption device 105 manipulates the primary encrypted input stream 115 and the clear input stream 120 to provide a partial dual encrypted stream 125 (i.e., a combined overlay output stream). The combined overlay output stream 125 comprises selected packets from the primary encrypted input stream and matching packets from the clear input stream that have been encrypted with a secondary encryption scheme combined with the remaining packets in the clear input stream. For example, 2% of packets included in the primary encrypted stream are chosen from the primary encrypted input stream. Matching packets of the clear input stream are then encrypted with the secondary encryption scheme. The 2% primary encrypted packets and the 2% secondary encrypted packets are then combined providing a 4% combined encrypted overlay stream. The 4% combined stream is subsequently combined with the 98% remaining clear input stream to provide 102% combined content packets in the combined overlay output stream 125. The combined overlay output stream 125 is then provided to multiple decryption devices 130, 135, where some devices 130 may have decryption schemes according to the primary encryption scheme that decrypt the primary 2% encrypted content Other devices 135 may have decryption schemes according to the secondary encryption scheme that decrypt the 2% encrypted content of the secondary encrypted stream. It will be appreciated that both devices 130, 135 receive and process the 98% clear stream. Further information regarding a dual-encrypted communications system can be found in copending U.S. patent application Ser. No. 10/629,839 entitled “Methods and Apparatus for Providing a Partial Dual-Encrypted Stream in a Conditional Access System” filed Jul. 30, 2003, the disclosure and teachings of which are hereby incorporated by reference.

A control system (CS) 140 provides complete management, monitoring, and control of the system's elements and broadcast services provided to users. Specifically in an overlay system, the control system 140 handles the provision and control information between the secondary decryption devices 135 and the overlay encryption device 105. In this manner, the CS 140 controls the output stream program numbers while the encryption device 105 controls all the packet identifiers for the secondary encrypted stream. Accordingly, the CS 140 and the overlay encryption device 105 discover and continuously monitor all program numbers and packet identifiers in the primary encrypted stream, and depending upon any conflicts, the program numbers and packet identifiers for the secondary encrypted stream are dynamically changed to avoid any conflicts in the combined output overlay stream 125.

FIG. 2 illustrates a primary encrypted input program association table (PAT) 200. In an overlay system, this PAT is then parsed, recreated, combined with secondary program information, and then periodically transmitted along with the other components in transport stream 115. The primary decryption devices 130 access the combined overlay PAT 305 in order to locate a desired program and its components in the transport stream. In a non-overlay system, the receiving devices 130 identify and subsequently receive the PAT 200 by its reserved PID value of 0x0 203. The PAT 200 contains a list of all program numbers (PNs) 205 available in that transport stream and their associated program map table (PMT) PID values 210 for each program. A program is also known as a session since sessions reference a specific program in a transport stream. Each PMT PID value 210, for example, a PMT PID value of 0x250, in the primary encrypted input PAT 200 is associated with a PMT 215 that includes the elementary stream PID values of 0x500, 0x510, and 0x520. More specifically, the PMT 215, which is identified by program number 0x20, and associated by the PMT PID value of 0x250, identifies the video and audio packets 220 for the associated program. In accordance with the present invention, the secondary decryption devices 135 will not tune to program 0x20 in the example primary encrypted input PAT 200 and its associated PMT and alternatively accept their intended PAT and PMT values via their respective identifiers.

FIG. 3 illustrates an original output overlay program association table (PAT) (PID 0x0) that is periodically transmitted along with the transport stream that both the secondary and the primary decryption devices access in order to locate a desired program and its components in the transport stream. The output overlay PAT 305 transported in the combined output overlay stream 125 includes a PAT section that comprises the entire primary input encrypted PAT section 315 along with the added overlay program encrypted PAT section 325 for the secondary decryption devices 135. As mentioned, the secondary decryption devices 135 are instructed to tune to the transport stream for their associated program numbers included in the output overlay PAT 305 by looking for the PID value of 0x0 and subsequently searching the overlay program encrypted PAT section 325 for the desired program number (PN). The program numbers then identify program map tables (PMTs) by a PID value that include packet identifiers for the program stream packets in the combined output overlay stream 125.

The primary and secondary PAT sections 315, 325 are combined in the combined overlay output stream 125. The output overlay PAT 305 is shared between the two encryption systems and will contain the entire primary encrypted PAT programs along with the active secondary encrypted programs. The encryption device 105 performs primary encrypted input PID monitoring to dynamically reallocate PID and program number values to avoid any conflicts with the primary encrypted stream 115 in the combined overlay output stream 125. It will be appreciated that the primary encrypted stream PAT section 315 remains untouched and the primary encrypted stream flows without any conflicts between the primary and the secondary encrypted streams.

FIG. 4 illustrates an updated program number in the primary encrypted PAT 400. In conjunction with FIG. 3, it is noted that the updated primary input encrypted PAT 400 now has a program number conflict in the overlay program encrypted PAT section 325 with program number 0x40, which is active in the secondary encrypted stream, and a PMT PID conflict with program number 0x60, which is also active in the secondary encrypted stream. In accordance with the present invention, the conflicts are detected prior to transmitting the primary and secondary encrypted streams.

FIG. 5 illustrates an updated overlay PAT (version 2) 505 in accordance with the present invention. Due to the program number 0x40 conflict, the secondary encrypted output program number 0x40 is changed to a new unused program number 525; in this case program number 0x45 is used. Furthermore, the updated encrypted input PAT program number 0x40 uses a PMT PID value of 0x400. Therefore, the updated primary encrypted stream PMT PID (i.e., 0x400) also conflicts with a PMT PID (i.e., 0x400) associated with program number 0x60 in the secondary encrypted stream. In accordance with the present invention, the conflict is detected, and the PMT PID 0x400 is changed to an unused PMT PID, which in this example is a value of 0x450. The updated output overlay PAT 505 that includes the updated primary encrypted input PAT section 520, the dynamically updated overlay program encrypted PAT section 515, and their associated PMT sections is then transmitted to both the primary and the secondary decryption devices 130, 135.

The updated overlay output PAT 505 having an incremented version number is used to signal the primary and the secondary decryption devices 130, 135 of the changed overlay stream values. Accordingly, the primary decryption devices 130 will correctly tune to program number 0x40 having a PMT PID value of 0x400, and the secondary decryption devices 135 will correctly tune the program stream using the new program number 0x45 having a PMT PID value of 0x200. It will be appreciated that the PMT PID associated with the revised program number 0x45 may not change if the PMT packet identifiers do not conflict with any active encrypted input stream using a PMT PID value of 0x200; therefore, the video and audio elementary packets for program number 0x45 are still located in a PMT using the PID value of 0x200. This is just an example and the algorithm is not limited or required to use the same PMT PID value for the updated stream now using program number 0x45. Additionally, the secondary decryption devices 135 correctly tune to program number 0x60 having an updated PMT PID value of 0x450.

FIG. 6 illustrates an original overlay program map table (PMT) and an updated overlay PMT in accordance with the present invention. The overlay PMT 605 has a PID value of 0x300 that is associated with a program number value of 0x50 shown in FIG. 3. In this example, however, the video PID value of 0x500 conflicts with a primary encrypted PMT PID 0x500 for the primary video stream as shown in the primary encrypted PMT 215 (FIG. 2). In accordance with the present invention, the conflict is detected and the conflicting overlay PID value of 0x500 615 is changed to an unused PID value of 0x550 620. The updated overlay PMT 610 is then transmitted along with the combined overlay output stream 125. The remaining PIDs in the PMT 605 do not require any modification since there is no conflict.

FIG. 7 is a block diagram of a processing, or encryption device 705 that monitors, detects, and dynamically updates the secondary encrypted stream to correct for any conflicts in the program numbers and/or packet identifiers in accordance with the present invention. The example processing device 705 includes two asynchronous serial interface (ASI) input ports using 8192 32-bit counters at each port. A bank of counters 710 receives the primary encrypted input stream 115 and the matching clear input stream 120 through the input ports. Each counter 710(1-n) is used to monitor the primary encrypted input stream PID activity for all 8192 available PID values. In the discovery phase, each counter is originally set at 0. For each program number and packet identifier present in the primary encrypted input stream, a counter 710(1-n) associated with the present program number and every associated packet identifier is incremented by one. The processing device 705 monitors all counter values to detect which counters 710(1-n) have a value of zero and which counters 710(1-n) have a value greater than zero. It can then be determined that the counters 710(1-n) having a value of zero have had no activity and are available for the output overlay programs and packet identifiers for the secondary encrypted overlay output streams. Any counters 710(1-n) having a count value greater than zero indicate PID activity and are currently in use by the primary encrypted stream and, therefore, should not be used in any secondary overlay stream. Using the discovered PID information, the processing device 705 either initially assigns or changes the PAT and PMT sections for the secondary overlay streams to use values that do no conflict with the primary encrypted stream values.

At times, a program number and/or packet identifier in the primary stream may dynamically change and start using new stream PID and/or program number values. For these cases, a monitoring phase continues to monitor the counters 710(1-n) for any updated changes. Accordingly, if a previously unused program number and/or packet identifier is later discovered in the primary encrypted input stream and that new identifier is conflicting with an already assigned identifier in the secondary overlay output stream, the processing device 705 updates the PAT and/or the PMT for the overlay output stream depending upon the stream values that changed. The updated PAT and/or PMT section is then immediately transmitted in the combined overlay output stream 125 to the secondary decryption devices 135 to signal the stream changes. Preferably, the primary encrypted input stream is gated until the updated overlay PAT and/or PMT are transmitted and stream routes are updated to ensure no disruption or conflict prior to the revision. Additionally, it will be appreciated that at some point, the counters 710 a-n may become full; at which point, the counters 710 a-n may be reset and the monitoring phase continues with identifying the program numbers and packet identifiers in use.

A critical packet selector and mapper 720 selects predetermined critical packets of the clear input stream. The critical packets are then encrypted with the second encryption scheme. The secondary encrypted packets are then mapped having an appropriate PID value in the PMT and/or PAT tables in accordance with the present invention. The tables, the primary and secondary encrypted packets, and the clear packets are subsequently multiplexed by multiplexer 725 to provide a combined overlay stream 730.

It will be appreciated that the processing device 705 of FIG. 7 works well in an environment or product that is limited to a small number of input ports. The PID and program number monitoring is performed after powering the processing device 705 and continues to monitor the primary encrypted input streams so the processing device 705 may quickly detect any dynamic PID and/or program number changes that affect the combined overlay output stream 125. Additionally, it is known that in a GIGA Ethernet or packet switching environment, products are designed to support a large number of unique input streams as compared to the ASI environment, which usually only supports a small number of unique input streams. Therefore, a large amount of memory would be required to keep track of the 8192 32-bit PID counters for each of the unique input steams in a GIGA Ethernet or packet switching environment.

FIG. 8 is a block diagram of a continuous PID-monitoring processing device 805 that is suitable for use in a GIGA Ethernet or packet switching environment in accordance with the present invention. Advantageously, the PID-monitoring processing device 805 is capable of receiving many more GIGA Ethernet or packet switched streams that are comprised in the primary encrypted input stream 115 while not requiring an inordinate amount of memory. Additionally, continuous monitoring of the streams will detect any dynamic stream changes after the initial power-up of the processing device 805. Therefore, in accordance with the present invention, the continuous PID-monitoring processing device 805 initially goes through a discovery phase and then continuously monitors the encrypted input stream 115 to detect any dynamic PID changes to the primary encrypted stream and makes changes to the output overlay stream 730, accordingly; thereby, avoiding duplicated PIDs that cause collisions in the combined overlay stream 730.

The continuous PID-monitoring device 805 includes a processor 810 that receives the primary encrypted stream 115. The processor 810 uses a single bit value, which corresponds to 16 bit values that comprise a PID, for each PID and a reset method to determine if any of the 8192 PID streams are active. The PID counters are continuously updated to a set/active state when any PID activity is detected The algorithm reads all the PID bit counters, and then resets all the counters, and enters back into the PID discovery mode. This method will catch the PID activity that fluctuates between active and not active so the PID counter states will not become stale. Using the bit method to indicate and store the PID activity saves memory in comparison to the processing device 705 of FIG. 7 and allows 8192 PID values to be stored in only 1024 bytes of memory. Initially at power up of the PID-monitoring device 805, the PID values of the primary stream are discovered and marked as “in-use.” The in-use values are stored in a table indicating that they are currently allocated, or unavailable. Additionally, unallocated or free PID values are stored in a table that can be used by the secondary overlay steam.

The systems and methods described herein solve any duplicate identifiers by continuously monitoring and subsequently dynamically changing stream identifier values. At times, however, physical routes transporting the steams from the multiple encryption devices 105 may have to be changed in order to ensure that there are no cross stream issues with decryption devices 130, 135 that are currently watching a program. By way of example, assume a secondary decryption device 135 is viewing a baseball game on program number 0x17 with a video PID of 0x50 and an audio PID of 0x51. Due to a PID conflict with an adult channel, which may have just been added to the system, the processing device 705, 805 changes the overlay program number 0x17 that have PIDs 0x500 and 0x501, respectively. If the decryption device 135 doesn't dynamically change its PIDs to the updated PIDs, a cross stream issue will arise and it will begin to decrypt the adult channel having PIDs 0x50 and 0x51. Therefore, it is extremely important that programs are received only by the intended primary and secondary decryption devices 130, 135.

Accordingly, the physical connection between the input and the output of the processing device 705,805 is changed to eliminate a cross stream issue. If the route stays open with the original parameters after the stream changes, this may create the cross strewn issue since the physical connection from the input to the output is not updated. The control of the routes can be in an ASIC, in an FPGA, or code in a processor. The routes are set up to pass the data based on the information in the stream like PID value, User Datagram Protocol (UDP) port value, and Internet Protocol (IP) value. When a specific stream value like an identifier changes, the processing device 705, 805 recognizes the change and updates the route for that stream.

Additionally, a return PID first-in first-out (FIFO) system and method is used to store PID values that are in the process of being deleted and returned to the PID allocation table so that these values are not immediately allocated to any new secondary overlay program that is created. In a preferred embodiment, a 16 bit PID array is used. It will be appreciated, however, that the size can be scaled depending upon the processing device 705, 805 and the application. Each entry in the PID array will hold a PID value to return to the PID allocation table. After the FIFO PID array fills up, the code starts returning the oldest PID value to an unallocated status. The PID values may also be stored in NVM and restored to the PID allocation table and return PID FIFO after powering on the processing device 705, 805. In this manner, cross stream issues are minimized.

It will be appreciated that modifications can be made to the embodiment of the present invention that is still within the scope of the invention. Additionally, the present invention can be implemented using hardware and/or software that are within the scope of one skilled in the art. The embodiments of the description have been presented for clarification purposes; however, the invention is defined by the following claims. 

What is claimed is:
 1. A method for dynamically allocating identifier values by a headend device to a second encrypted stream depending upon a first encrypted stream, the method comprising: determining a plurality of identifier values of the first encrypted stream, wherein the first encrypted stream comprises first encrypted packets; receiving a clear stream at a packet selector; determining critical packets of the clear stream, wherein determining the critical packets comprises determining packets in the clear stream associated with the first encrypted packets; encrypting the determined critical packets of the clear stream with a second encryption scheme to provide second encrypted packets; assigning an identifier value to the second encrypted packets; and determining that the identifier value associated with the second encrypted packets does not conflict with any of the plurality of the identifier values of the first encrypted stream, wherein determining that the identifier value does not conflict with any of the first identifier values comprises: monitoring the first encrypted stream to detect change in the plurality of identifier values, and comparing, in response to detecting change the plurality of identifier values, the changed plurality of identifier values with the identifier value.
 2. The method of claim 1, further comprising: incrementing one of a plurality of counters for each identifier value of the first encrypted stream; providing a count associated with each counter to a processor; and determining from the count all unused counters, wherein each unused counter corresponds to an unused identifier value.
 3. The method of claim 2, further comprising assigning the identifier value to each of the second encrypted packets based on each of the unused identifier value.
 4. The method of claim 3, further comprising mapping the assigned identifier value to one of a program association table and a program map table, wherein the program association table and the program map table are transmitted along with the first and second encrypted packets and selected packets of the clear stream.
 5. The method of claim 4, further comprising: changing, in response to the determination of the identifier value conflicting with one of a changed plurality of identifier values, the conflicting identifier value of the second encrypted packet to an available unused identifier value.
 6. The method of claim 5, further comprising remapping the changed identifier value of the second encrypted packets in one of the program association table and the program map table.
 7. A system comprising: a quadrature amplitude modulation (QAM) modulator configured to receive an encrypted stream encrypted with a first encryption stream and a clear stream, wherein the QAM modulator comprises a encryption device, and wherein the encryption device is configured to: determine a plurality of identifier values associated with the first encrypted stream, wherein the first encrypted stream comprises first encrypted packets; determine critical packets of the clear stream; encrypt the critical packets with a second encryption scheme to provide second encrypted packets; assign an identifier value to the second encrypted packets; and determine that the identifier value associated with the second encrypted packets does not conflict with any of the plurality of the identifier values of the first encrypted stream, wherein determining that the identifier value does not conflict with any of the first identifier values comprises: monitoring the first encrypted stream to detect change in the plurality of identifier values, and comparing, in response to detecting change in the plurality of identifier values, the changed plurality of identifier values with the identifier value.
 8. The system of claim 7, wherein the QAM modulator is further configured to transmit the first encrypted stream, the clear stream, a second encrypted stream comprising the second encrypted packets, and a program map table (PMT) comprising the plurality of identifier values and the second identifier to a customer device.
 9. The system of claim 8, wherein the encryption device is configured to determine the conflict between the identifier value and the plurality of identifier values before the first encrypted stream, the clear stream, the second encrypted stream, and the PMT are sent to the customer device.
 10. The system of claim 8, wherein the encryption device, in response to determination of a conflict between the identifier value and the plurality of identifier values, is further configured to: assign a new identifier value to the second encrypted packets; and modify the PMT to reflect the new identifier values.
 11. The system of claim 7, wherein the QAM modulator comprises a predetermined number of counters, wherein each of the counters are associated with one of a predetermined number of packet identifier values to be used by an input port of the QAM modulator, and wherein the encryption device is further configured to increment a count value of each of a plurality of counters corresponding to the determined plurality of identifier values associated with the first encrypted stream.
 12. The system of claim 11, wherein the count value of zero for a counter represents the corresponding identifier value is not in use.
 13. The system of claim 12, wherein the encryption device is configured to assign the identifier value to the second encrypted packets by: identifying one of the counters having the count value of zero; determining the corresponding identifier value corresponding to the identified one of the counters; and assigning the correspond identifier value to the second encrypted packets.
 14. The system of claim 12, wherein the encryption device further configured to: create a first table comprising a first list of identifiers having the count value greater than zero; and create a second table having a second list of identifiers having the count value of zero.
 15. The system of claim 14, wherein the encryption device is further configured to update the first table and the second table based on the monitoring of the first encrypted stream, wherein updating the first table and the second table comprises moving an identifier from the first table to the second table.
 16. The system of claim 15, wherein the identifier is moved from the first table to the second table in response to the identifier not being used by the first encrypted stream and the second encrypted stream.
 17. The system of claim 15, wherein the identifier is stored in a first in first out (FIFO) after being deleted from the first table and before being added in the second table.
 18. The system of claim 7, wherein packets corresponding to the first encrypted packets in the clear stream are determined as critical packets.
 19. The system of claim 7, wherein random packets of the clear stream are determined as critical packets.
 20. A system comprising: a memory storage, and a processor connected to the memory storage, wherein the processor is configured to: determine a plurality of identifier values associated with the first encrypted stream, wherein the first encrypted stream comprises first encrypted packets; determine critical packets of the clear stream; encrypt the critical packets with a second encryption scheme to provide second encrypted packets; assign an identifier value to the second encrypted packets; and determine that the identifier value associated with the second encrypted packets does not conflict with any of the plurality of the identifier values of the first encrypted stream, wherein determining that the identifier value does not conflict with any of the first identifier values comprises: monitoring the first encrypted stream to detect change in the plurality of identifier values, and comparing, in response to detecting change the plurality of identifier values, the changed plurality of identifier values with the identifier value. 